NEW YORK STATE SECURITY BREACH REPORTING FORM 
Pursuant to the Information Security Breach and Notification Act 
(General Business Law §899-aa) 


Name and address of Entity that owns or licenses the computerized data that was subject to the breach: 

_Burke Law, P.C._ 

Street Address: _77 College Street, Suite 2C_ 

City: _Burlington_ State: VT Zip Code: _05401_ 


Submitted by : Sue Friedberg_ Title: _Legal Counsel_ Dated:_12/18/2018 

Firm Name (if other than entity): _Buchanan Ingersoll & Rooney, PC_ 

Telephone:_(412) 562-8436_ Email: _sue.friedberg@bipc.com_ 

Relationship to Entity whose information was compromised:_Legal Counsel 


Type of Organization (please select oneb f ] Governmental Entity in New York State; [ ] Other Governmental Entity; 
[ ] Educational; [ ]Health Care; [ ]Financial Services; [ X ]Other Commercial; or [ ]Not-for-profit. 


Number of Persons Affected: 

Total (Including NYS residents):_89_ NYS Residents:_7_ Not Applicable 

If the number of NYS residents exceeds 5,000, have the consumer reporting agencies been notified? [ ] Yes [ ] No 


Dates : Breach Occurred:_l0/2/2018_Breach Discovered:_10/2/2018_Consumer Notification:_11 /24/2 018 


Description of Breach (please select all that apply): 

[ ]Loss or theft of device or media (e.g., computer, laptop, external hard drive, thumb drive, CD, tape); 
[ ]Intemal system breach; [ ]Insider wrongdoing; [ X ]Extemal system breach (e.g., hacking); 

[ ]Inadvertent disclosure; [ ]Other specify):_ 


Information Acquired : Name or other personal identifier in combination with (please select all that apply): 
[ ]Social Security Number 

[ X ]Driver's license number or non-driver identification card number 

[ X JFinandal account number or credit or debit card number, in combination with the security code, access 
code, password, or PIN for the account 


Manner of Notification to Affected Persons ATTACH A COPY OF THE TEMPLATE OF THE NOTICE TO 
AFFECTED NYS RESIDENTS: See Exhibit A attached hereto. 

[ X ] Written [ ] Electronic [ ] Telephone [ ] Substitute notice 

List dates of any previous (within 12 months) breach notifications: _Not Applicable_ 

Identify Theft Protection Service Offered: [ ]Yes [ X ] No 

Duration:__ Provider:_ 

Brief Description of Service^__^^^^^^^^___ 












































Exhibit A 


Template Notice Letters 

Please see attached. Clients of Burke Law, P.C. received a copy of the first notice letter attached 
hereto. Non-clients of Burke Law, P.C. received a copy of the second notice letter attached 
hereto. 




Burke Law 


Attorneys at Law 
Jessica Burke. Esq. 
Zachery Weight, Esq. 
Leah Henderson, Esq. 


«Date» 

«First_Name» «Middle_Name» «Last_Name» 

«Address_1» 

«Address_2» 

«City», «State» «Zip» 

Re: Notice of Data Breach 

Dear «First_Name»: 

We are writing to inform you of a recent incident that may have exposed to unauthorized access information 
that you, someone you know, or a third party provided to Burke Law, P.C. On October 2, 2018, we first 
learned that an unknown person may have accessed one of our employees’ email accounts without 
permission. The information contained in the email account may have included some of your personal 
information. 

We take this matter very seriously because the security of your personal information is very important to you 
and to us. As soon as we learned of this unauthorized access, we immediately launched an investigation to 
understand what happened and initiated actions to try to prevent something like this from happening again. 
We are providing this notice to you as a precautionary measure, to inform you of the incident and to explain 
some steps you can take to protect your information. At this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What Happened 

On October 2, 2018, we first learned that an unknown person may have accessed one of our employees’ 
email accounts without permission. We immediately engaged a leading cybersecurity forensic investigation 
firm to help identify which email accounts were compromised by the attack. At this time, based on the 
forensic investigation, we believe that the attack was contained to a single employee’s email account. Upon 
review of the emails potentially compromised in the attack, we determined that some of these emails 
contained personal information, which is why we are notifying you now. 

What Information Was Involved 


We believe that the information contained in the email account may have exposed your personal 
information, such as name, address, birthdate, driver's license information, and medical information to the 
unknown person. The affected emails may also have contained confidential information about your legal 
matters. We have no reason to believe that the intruder was looking for that type of information, but rather 
was looking for information that can be used to falsify a person’s identity in order to operate a scam or credit 
fraud. We will notify you immediately if we have any concern that this breach may in any way compromise 
your legal position or the outcome of your matter. Again, at this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What We Are Doing 

As part of our investigation, we immediately reset account passwords, made them stronger, and now require 
more frequent password changes. To further enhance security, we added new security features to email 
accounts and strengthened our security monitoring. Additionally, we are assessing our security practices so 
that we are continually vigilant about cybersecurity threats and prepared for attacks. We will continue to 






educate our staff on how to avoid the tricks and tactics that unauthorized individuals may use to gain access 
to our email. 

What You Can Do 

As a precautionary measure, we advise you to take appropriate steps to protect your personal information. 
We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing and 
monitoring your account statements and free credit reports for any unauthorized activity. If you find 
unauthorized or suspicious activity, you should immediately contact your credit card company, financial 
institution, and/or law enforcement. By law, you are now entitled—at no charge—to place a credit freeze on 
all the credit agency reports about you, and to lift that freeze when you wish at no charge. Information about 
what to do to set up a credit freeze is available here: https://www.consumer.ftc.gov/blog/2018/09/free- 
credit-freezes-are-here. 


For More Information 


Please contact us with any questions and concerns by calling (802) 318-8076 and leaving a message that 
references this letter. 

We sincerely apologize for any inconvenience and concern this incident has caused you. The security of 
your information is very important to us and we are committed to protect your information. 


Sincerely 



Jessica Burke, Esq. 
Owner, Burke Law, P.C. 









Burke Law 


Attorneys at Law 
Jessica Burke. Esq. 
Zachery Weight, Esq. 
Leah Henderson, Esq. 


«Date» 

«First_Name» «Middle_Name» «Last_Name» 

«Address_1» 

«Address_2» 

«City», «State» «Zip» 

Re: Notice of Data Breach 

Dear «First_Name»: 

We are writing to inform you of a recent incident that may have exposed to unauthorized access information 
that you, someone you know, or a third party provided to Burke Law, P.C. On October 2, 2018, we first 
learned that an unknown person may have accessed one of our employees’ email accounts without 
permission. The information contained in the email account may have included some of your personal 
information. 

We take this matter very seriously because the security of your personal information is very important to you 
and to us. As soon as we learned of this unauthorized access, we immediately launched an investigation to 
understand what happened and initiated actions to try to prevent something like this from happening again. 
We are providing this notice to you as a precautionary measure, to inform you of the incident and to explain 
some steps you can take to protect your information. At this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What Happened 

On October 2, 2018, we first learned that an unknown person may have accessed one of our employees’ 
email accounts without permission. We immediately engaged a leading cybersecurity forensic investigation 
firm to help identify which email accounts were compromised by the attack. At this time, based on the 
forensic investigation, we believe that the attack was contained to a single employee’s email account. Upon 
review of the emails potentially compromised in the attack, we determined that some of these emails 
contained personal information, which is why we are notifying you now. 

What Information Was Involved 


We believe that the information contained in the email account may have exposed your personal 
information, such as name, address, birthdate, driver's license information, and medical information to the 
unknown person. Again, at this time, we have no information indicating that any of your information has 
been inappropriately used by anyone. 

What We Are Doing 

As part of our investigation, we immediately reset account passwords, made them stronger, and now require 
more frequent password changes. To further enhance security, we added new security features to email 
accounts and strengthened our security monitoring. Additionally, we are assessing our security practices so 
that we are continually vigilant about cybersecurity threats and prepared for attacks. We will continue to 






educate our staff on how to avoid the tricks and tactics that unauthorized individuals may use to gain access 
to our email. 

What You Can Do 

As a precautionary measure, we advise you to take appropriate steps to protect your personal information. 
We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing and 
monitoring your account statements and free credit reports for any unauthorized activity. If you find 
unauthorized or suspicious activity, you should immediately contact your credit card company, financial 
institution, and/or law enforcement. By law, you are now entitled—at no charge—to place a credit freeze on 
all the credit agency reports about you, and to lift that freeze when you wish at no charge. Information about 
what to do to set up a credit freeze is available here: https://www.consumer.ftc.gov/blog/2018/09/free- 
credit-freezes-are-here. 


For More Information 


Please contact us with any questions and concerns by calling (802) 318-8076 and leaving a message that 
references this letter. 

We sincerely apologize for any inconvenience and concern this incident has caused you. The security of 
your information is very important to us and we are committed to protect your information. 


Sincerely 



Jessica Burke, Esq. 
Owner, Burke Law, P.C. 








Schnitzer, Steven 


From: 

Sent: 

To: 

Cc: 

Subject: 

Attachments: 



Brennfleck, Michelle Garvey <michelle.brennfleck@bipc.com> 

Wednesday, December 19, 2018 12:25 PM 

BreachSecurity; risk@nysic.ny.gov; security_breach_notification@dos.ny.gov 


New York State Security Breach Reporting Form 
Burke Law _Data Breach Notice Form _ New York.pdf 


Dear Sir or Madam, 

Attached please find a copy of the New York State Security Breach Reporting Form, with attachments, submitted on 
behalf of our client, Burke Law, P.C., in accordance with the Information Security Breach and Notification Act. 

If you require any additional information, please do not hesitate to contact us. 

Thank you, 

Michelle Brennfleck 

Michelle G. Brennfleck 

Associate 

One Oxford Centre 

301 Grant Street, 20th Floor 

Pittsburgh, PA 15219-1410 

412 562 1822 (o) 

217 971 3995 (c) 

michelle.brennfleck@bipc.com 

vCard | Bio | BIPC.com | Twitter | Linkedln 

Buchanan Ingersoll & Rooney PC 


CONFIDENTIAL/PRIVILEGED INFORMATION: This e-mail message (including any attachments) is a private communication sent by a law firm and may 
contain confidential, legally privileged or protected information meant solely for the intended recipient. If you are not the intended recipient, you are 
hereby notified that any use, dissemination, distribution or copying of this communication is prohibited and may be unlawful. Please notify the sender 
immediately by replying to this message, then delete the e-mail and any attachments from your system. 
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